Lodash version 0.10.0 represents a subtle yet noteworthy update from its predecessor, version 0.9.2. Both versions remain committed to Lodash's core mission: providing a comprehensive utility library designed for consistency, customization, enhanced performance, and a wealth of helpful extras for JavaScript developers. Key metadata, such as licensing under the MIT license and the project's location within the lodash GitHub repository, remain consistent. The author and maintainer, John-David Dalton, also remains the same, ensuring continuity in project direction and quality.
The primary distinction lies within the version number itself and, naturally, the code changes accompanying it. While specific code-level changes aren't detailed in the provided metadata, the semantic versioning system (where a bump from 0.9.2 to 0.10.0 signifies a minor release) suggests the introduction of new features or minor improvements without breaking backward compatibility. Developers should anticipate that upgrading from 0.9.2 to 0.10.0 should be relatively seamless.
The release timestamps also offer a subtle point of interest. With only a few minutes separating release dates, it suggests that version 0.10.0 addressed some urgent and important things discovered right after putting version 0.9.2 on the npm registry. For developers already using Lodash, upgrading to 0.10.0 is advisable to leverage these enhancements, while new users can confidently choose either version, keeping in mind that 0.10.0 likely incorporates the latest improvements and refinements prior to potential further development.
All the vulnerabilities related to the version 0.10.0 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.